As file change detection software, you can imagine it has to provide commands for registering file attributes and the checksum of file content, and commands for verifying whether a file's attributes or content have changed. Then, when a verification report indicates that some files have changed and, after investigation, you find those changes are normal (because you applied patches to the system, or because the data has been updated and now holds more), the software has to provide commands for updating the registry, so that the records for those files are updated and, if nothing changes further, the next scan won't report the same change again.

When using WZSysGuard commands, always remember that WZSysGuard uses a "class" to cover different files, or to handle some files according to different requirements.

So, when you check a WZSysGuard report, you should always relate each report item to the class it is in, and then work on it accordingly.

Here are the main commands WZSysGuard provides to let you perform those tasks:

• wzsgreg
Usage: wzsgreg [-n] [class ...]
This command registers both file attributes and content checksums for the specified classes, or for all the active classes.
When registry files already exist, you should use the "-n" option to save the existing files and generate new ones.

• wzsgchk
Usage: wzsgchk [-i] [class ...]
This command checks whether any file has changed, based on the records in the registry files. If no class name is provided on the command line, it checks all active classes.
It first checks the checksum of the corresponding registry file, to make sure the registry file itself was not tampered with.
Then, to make sure of the integrity of the checksum record itself, you can run wzsgchk with the "-i" option: this prompts you to key in the checksum protection password and, if you provide the correct password, confirms whether the recorded checksum is broken or not.

• wzsgaupd
Usage: wzsgaupd {-d|-m bbbbbbb|-u} {class|Attribute_File} [file ...]
This command updates file attribute records. For file attribute records, there are 3 types of updates you may want to make:
1. Delete the file record, e.g. when the file is permanently gone:
wzsgaupd -d {class|Attribute_File} [file ...]
2. Just update the record with the current values:
wzsgaupd -u {class|Attribute_File} [file ...]
3. Turn monitoring of individual attributes on or off. When certain attributes of some files change during normal operation, e.g. pseudo tty devices change ownership depending on who is using the device, you can turn off ownership monitoring for those files. To make this kind of update:
wzsgaupd -m bbbbbbb {class|Attribute_File} [file ...]
Here, bbbbbbb is a 7-bit binary number, and the meaning of each bit is as follows:
bit 1 for p: object's permission.
bit 2 for o: object's owner.
bit 3 for d: device's Major/Minor, or link's target.
bit 4 for g: object's group owner.
bit 5 for t: object's type.
bit 6 for e: object's existence.
bit 7 for c: object's change time (mtime).
To turn off mtime monitoring for /dev/stdin, you can run:
wzsgaupd -m 1111110 link /dev/stdin
and to turn it back on:
wzsgaupd -m 1111111 link /dev/stdin

For all 3 types of usage, you need to either specify the target registry file by class name, or give the path to the attributes registry file. For files that need to be updated in the same way, you can either list the path of each file on the command line, or save the paths in a file, one file per line, and feed it to the standard input of the command.
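
The following is an added example, not part of WZSysGuard: two shell helpers that build and decode the 7-digit -m mask, so a mask can be checked before it reaches the registry. The function names are hypothetical, and the digit order (bit 1 leftmost, 1 = monitored) is taken from the /dev/stdin example above; the script only prints the wzsgaupd command line and does not run it.

```shell
#!/bin/sh
# Added example, not part of WZSysGuard: helpers for the 7-digit
# "wzsgaupd -m" mask. Function names are hypothetical.
# Digit order, left to right, is bit 1..7 as listed above: p o d g t e c.
# 1 = attribute monitored, 0 = monitoring turned off.
WZSG_ATTRS="p o d g t e c"

# wzsg_mask_off [LETTER ...]: print the mask that turns the named
# attributes off and leaves every other attribute on.
wzsg_mask_off() {
    for off in "$@"; do
        case "$off" in
            p|o|d|g|t|e|c) ;;
            *) echo "unknown attribute: $off" >&2; return 1 ;;
        esac
    done
    mask=""
    for attr in $WZSG_ATTRS; do
        bit=1
        for off in "$@"; do
            if [ "$off" = "$attr" ]; then bit=0; fi
        done
        mask="$mask$bit"
    done
    echo "$mask"
}

# wzsg_mask_decode MASK: validate a mask and print which attributes
# it leaves on and which it turns off ("-" means none).
wzsg_mask_decode() {
    case "$1" in
        [01][01][01][01][01][01][01]) ;;
        *) echo "mask must be exactly 7 binary digits: $1" >&2; return 1 ;;
    esac
    rest=$1 on="" off=""
    for attr in $WZSG_ATTRS; do
        case "$rest" in
            1*) on="$on$attr" ;;
            0*) off="$off$attr" ;;
        esac
        rest=${rest#?}
    done
    echo "on=${on:--} off=${off:--}"
}

# Print (not run) the command for the page's /dev/stdin example, then
# decode a mask copied from a change request before applying it.
echo "wzsgaupd -m $(wzsg_mask_off c) link /dev/stdin"
wzsg_mask_decode 1011111
```

Decoding a mask before applying it shows exactly which attributes will stop being monitored, which is worth recording alongside the reason for the change.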

• wzsgcupd
Usage: wzsgcupd {-d|-m|-u} {class|content_registry_file} [file ...]
There are also 3 types of updates you may want to make:
1. Delete the file record from the registry, as the file is no longer there or has been removed from the class:
wzsgcupd -d {class|content_registry_file} [file ...]
2. Mask the file: the file content always changes during normal operation, so there is no use in monitoring the content:
wzsgcupd -m {class|content_registry_file} [file ...]
3. The file content was changed by a normal update, so the record needs to be updated with the new content:
wzsgcupd -u {class|content_registry_file} [file ...]

Similar to wzsgaupd, you need to give either the class name or the content registry file path to identify which registry file you want to update. As for the files whose records need to be updated, you can either list them on the command line, or save them to a file and feed the file content to the command's standard input.

• wzsglogp
Usage: wzsglogp class category reportfile
This command helps retrieve file names from a scan report.
Here, class is the name of the class you want to retrieve the files from.
Category can be "a" for attributes, "c" for content checksum, "fa" for files whose attributes are unregistered, and "fc" for files whose content is unregistered.